cfbs add ssh-max-auth-tries
SSH is one of the most widely used services allowing administrators to connect and manage the system as well as being used for data transfers like backups and port forwarding.
By default 6 attempts are allowed per session. The number of attempts can be reduced to prevent brute force attacks where different passwords are guessed and tried. When half of the attempts are used up failures will be logged on the server making it more likely that an administrator will notice brute force login attempts.
Reducing this to 3 is recommended and an excellent idea in environments where the value may have been configured higher.
Add MaxAuthTries 36 to /etc/ssh/sshd_config and run the policy:
$ grep Tries /etc/ssh/sshd_config
MaxAuthTries 36
$ sudo cf-agent -KIb ssh_max_auth_tries
info: Using command line specified bundlesequence
info: Replaced pattern '^\s*(MaxAuthTries\s+(?!3$).*|MaxAuthTries)$' in '/etc/ssh/sshd_config.staged'
info: replace_patterns promise '^\s*(MaxAuthTries\s+(?!3$).*|MaxAuthTries)$' repaired
info: Edited file '/etc/ssh/sshd_config.staged'
info: Copied file '/etc/ssh/sshd_config.staged' to '/etc/ssh/sshd_config.cfnew' (mode '640')
info: Removed old backup '/etc/ssh/sshd_config.cfsaved'
info: Backed up '/etc/ssh/sshd_config' as '/etc/ssh/sshd_config.cfsaved'
info: Moved '/etc/ssh/sshd_config.cfnew' to '/etc/ssh/sshd_config'
info: Updated '/etc/ssh/sshd_config' from source '/etc/ssh/sshd_config.staged' on 'localhost'
info: Executing 'no timeout' ... '/bin/systemctl --no-ask-password --global --system -q restart sshd'
info: Completed execution of '/bin/systemctl --no-ask-password --global --system -q restart sshd'
$ grep Tries /etc/ssh/sshd_config
MaxAuthTries 3
The reason that there is quite a bit of output is because it's a multi-step process:
If you run cf-agent -KI again, there will be no output, no changes will be made, since the configuration is already correct.
This module ensures that MaxAuthTries is set to 3 unless default:ssh_max_auth_tries.sshd_config[MaxAuthTries] is defined via Augments in which case the value defined via augments is used for the setting in /etc/ssh/sshd_config leveraging lib_sshd_config:global_key_values from the library-sshd-config module.
The following variables are available for customization. If they are not defined via Augments, they will select default values.
Note: In order to target these variables from Augments CFEngine 3.18.0 or higher where the variables key is available is needed.
default:ssh_max_auth_tries.sshd_config[MaxAuthTries]
3)